Manage the HTTPS certificate from the menu and ask Safari users to in… #321
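# Release workflow: on a pushed version tag it builds the agent for linux,
# windows and macos, signs and notarizes the macos bundle and dmg, builds the
# installers, publishes a GitHub release and uploads the autoupdate files to S3.
#
# This pipeline handles code-signing certificates, Apple notarization
# credentials and an AWS role obtained through OIDC, so every piece of code it
# runs is part of the release trust boundary.
#
# NOTE(review): all `uses:` references below are mutable tags (for example
# `@v4`, `@v1`). Pinning each action to a full commit SHA, with the tag kept as
# a trailing comment, prevents a retagged action from running with the signing
# material. The same applies to the `@latest` Go installs, the branch checkout
# of the gon fork, the downloaded zip archives and the container image.
name: Release

on:
  push:
    tags:
      - "[0-9]+.[0-9]+.[0-9]+*"

# Least privilege by default: jobs that need the OIDC token or write access to
# the repository declare it themselves.
permissions:
  contents: read

env:
  # As defined by the Taskfile's PROJECT_NAME variable
  PROJECT_NAME: arduino-create-agent
  TARGET: "/CreateAgent/Stable/"
  VERSION_TARGET: "arduino-create-static/agent-metadata/"
  AWS_REGION: "us-east-1" # or https://github.com/aws/aws-cli/issues/5623
  KEYCHAIN: "sign.keychain"
  KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
  GON_CONFIG_PATH: gon.config.hcl
  INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
  # The AC_* notarization credentials used by gon are set only on the steps
  # that invoke gon, so they are not exported to every step of every job.
  # See: https://github.com/actions/setup-go/tree/v3#readme
  GO_VERSION: "1.21"

jobs:
  # The build job is responsible for: configuring the environment, testing and compiling process
  build:
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT
    outputs:
      prerelease: ${{ steps.prerelease.outputs.IS_PRE }}
    strategy:
      matrix:
        os: [ubuntu-20.04, windows-2019, macos-12]
        arch: [amd64]
        include:
          - os: windows-2019
            arch: 386
            ext: ".exe"
          - os: windows-2019
            ext: ".exe"
    defaults:
      run:
        shell: bash
    # by default disable CGO, it's not needed (except on macos)
    env:
      CGO_ENABLED: "0"
    runs-on: ${{ matrix.os }}
    environment: production
    steps:
      - name: Set env vars
        run: |
          echo "TAG_VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
          echo $(go env GOPATH)/bin >> $GITHUB_PATH
      - name: Identify Prerelease
        # This is a workaround while waiting for create-release action to implement auto pre-release based on tag
        # NOTE(review): the archive is downloaded and executed without an
        # integrity check; verify it against a known SHA-256 before running it.
        id: prerelease
        run: |
          curl -L -s https://github.com/fsaintjacques/semver-tool/archive/3.1.0.zip -o /tmp/3.1.0.zip
          unzip -p /tmp/3.1.0.zip semver-tool-3.1.0/src/semver >/tmp/semver && chmod +x /tmp/semver
          if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "IS_PRE=true" >> $GITHUB_OUTPUT; fi
      - name: Disable EOL conversions
        run: git config --global core.autocrlf false
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install Go deps
        # NOTE(review): `@latest` makes the release depend on whatever is
        # published at build time; pin an explicit version.
        run: go install github.com/sanbornm/go-selfupdate/...@latest
      - name: Install Taskfile
        uses: arduino/setup-task@v2
        with:
          version: "3.x"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build the Agent for linux
        run: task go:build
        if: matrix.os == 'ubuntu-20.04'
      # the manifest is required by windows GUI apps, otherwise the binary will crash with: "Unable to create main window: TTM_ADDTOOL failed" (for reference https://github.com/lxn/walk/issues/28)
      # rsrc will produce a *.syso file that should get automatically recognized by go build command and linked into an executable.
      - name: Download tool to embed manifest in win binary
        # NOTE(review): same `@latest` concern as above; the output of this
        # tool is linked into the shipped Windows binary.
        run: go install github.com/akavel/rsrc@latest
        if: matrix.os == 'windows-2019'
      # building the agent for win requires a different task because of an extra flag
      - name: Build the Agent for win32
        env:
          GOARCH: "386" # 32bit architecture (for support)
        run: task go:build-win
        if: matrix.os == 'windows-2019' && matrix.arch == '386'
      - name: Build the Agent for win64
        run: task go:build-win # GOARCH=amd64 by default on the runners
        if: matrix.os == 'windows-2019' && matrix.arch == 'amd64'
      - name: Build the Agent for macos
        env:
          CGO_ENABLED: "1"
          MACOSX_DEPLOYMENT_TARGET: "10.15" # minimum supported version for mac
          CGO_CFLAGS: -mmacosx-version-min=10.15
          CGO_LDFLAGS: -mmacosx-version-min=10.15
        run: task go:build
        if: matrix.os == 'macos-12'
      # this will create `public/` dir with compressed full bin (<version>/<os>-<arch>.gz) and a json file
      - name: Create autoupdate files
        run: go-selfupdate ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION}
        if: matrix.arch != '386' && steps.prerelease.outputs.IS_PRE != 'true'
      # for now we do not distribute m1 build, this is a workaround for now
      - name: Copy autoupdate file for darwin-arm64 (m1 arch)
        working-directory: public/
        run: |
          cp darwin-amd64.json darwin-arm64.json
          cp ${TAG_VERSION}/darwin-amd64.gz ${TAG_VERSION}/darwin-arm64.gz
        if: matrix.os == 'macos-12' && steps.prerelease.outputs.IS_PRE != 'true'
      - name: Create autoupdate files for win32
        run: go-selfupdate -platform windows-${{ matrix.arch }} ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION}
        if: matrix.arch == '386' && matrix.os == 'windows-2019' && steps.prerelease.outputs.IS_PRE != 'true'
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: "github_${{ env.PROJECT_NAME }}"
          aws-region: ${{ env.AWS_REGION }}
        if: steps.prerelease.outputs.IS_PRE != 'true'
      - name: Upload autoupdate files to Arduino downloads servers
        run: |
          aws s3 sync public/ s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}
        if: steps.prerelease.outputs.IS_PRE != 'true'
      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            ${{ env.PROJECT_NAME }}*
          if-no-files-found: error

  create-macos-bundle:
    needs: build
    # for now they are exactly the same
    strategy:
      matrix:
        arch: [amd64, arm64]
    runs-on: macos-12
    env:
      EXE_PATH: "skel/ArduinoCreateAgent.app/Contents/MacOS/"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          repository: "bcmi-labs/arduino-create-agent-installer" # the repo which contains the bundle structure and icons
          token: ${{ secrets.ARDUINO_CREATE_AGENT_CI_PAT }}
          # No later step needs git access, so do not leave the PAT in .git/config
          persist-credentials: false
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: ${{ env.PROJECT_NAME }}-macos-12-amd64 # if we want to support darwin-arm64 in the future for real this has to change.
          path: ${{ env.EXE_PATH }}
      - name: Remove placeholder file
        run: rm -rf ${{ env.EXE_PATH }}.empty
      # zip artifacts do not maintain executable permission
      - name: Make executable
        run: chmod -v +x ${{ env.EXE_PATH }}${{ env.PROJECT_NAME }}
      - name: Rename executable to Arduino_Create_Agent
        run: mv -v ${{ env.EXE_PATH }}${{ env.PROJECT_NAME }} ${{ env.EXE_PATH }}Arduino_Create_Agent
      - name: get year
        run: echo "YEAR=$(date "+%Y")" >> $GITHUB_ENV
      - name: Generate Info.plist for MacOS
        run: |
          cat > skel/ArduinoCreateAgent.app/Contents/Info.plist <<EOF
          <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string>
          <key>CFBundleIconFile</key> <string>AppIcon.icns</string>
          <key>CFBundleName</key> <string>Arduino Create Agent</string>
          <key>CFBundleExecutable</key> <string>Arduino_Create_Agent</string>
          <key>CFBundleIdentifier</key> <string>create.arduino.cc</string>
          <key>CFBundleVersion</key> <string>${GITHUB_REF##*/}</string>
          <key>NSHumanReadableCopyright</key> <string>© Copyright ${{ env.YEAR }} Arduino LLC</string>
          <key>CFBundleShortVersionString</key> <string>${GITHUB_REF##*/}</string>
          <key>LSUIElement</key> <true/>
          <!-- Needed for Apache Callback -->
          <key>NSPrincipalClass</key><string>NSApplication</string>
          <key>NSMainNibFile</key><string>MainMenu</string>
          </dict></plist>
          EOF
      - name: Tar bundle to keep permissions
        run: tar -cvf ArduinoCreateAgent.app_${{ matrix.arch }}.tar -C skel/ .
      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          if-no-files-found: error
          name: ArduinoCreateAgent.app_${{ matrix.arch }}
          path: ArduinoCreateAgent.app_${{ matrix.arch }}.tar

  # The notarize-macos job will download the macos bundle from the previous job, sign, notarize and re-upload it, uploading it also on s3 download servers for the autoupdate.
  notarize-macos:
    name: Notarize bundle
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT
    # for now they are exactly the same
    strategy:
      matrix:
        arch: [amd64, arm64]
    runs-on: macos-12
    env:
      GON_PATH: ${{ github.workspace }}/gon
    needs: [build, create-macos-bundle]
    environment: production
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: ArduinoCreateAgent.app_${{ matrix.arch }}
      - name: un-Tar bundle
        run: tar -xvf ArduinoCreateAgent.app_${{ matrix.arch }}.tar
      - name: Import Code-Signing Certificates
        # The secrets reach the script through the environment rather than being
        # expanded into the script text by the workflow template engine.
        # If the stored password was escaped for the shell to suit the previous
        # inline form, save it again unescaped.
        env:
          INSTALLER_CERT_MAC_P12: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
          INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
        run: |
          echo "$INSTALLER_CERT_MAC_P12" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
          security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
          security default-keychain -s "${{ env.KEYCHAIN }}"
          security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
          # NOTE(review): -A lets any application use the imported key without a
          # prompt; -T already grants codesign access. Confirm whether -A is needed.
          security import \
            "${{ env.INSTALLER_CERT_MAC_PATH }}" \
            -k "${{ env.KEYCHAIN }}" \
            -f pkcs12 \
            -A \
            -T "/usr/bin/codesign" \
            -P "$INSTALLER_CERT_MAC_PASSWORD"
          security set-key-partition-list \
            -S apple-tool:,apple: \
            -s \
            -k "${{ env.KEYCHAIN_PASSWORD }}" \
            "${{ env.KEYCHAIN }}"
          # The key now lives in the keychain; do not leave the .p12 on disk
          rm -f "${{ env.INSTALLER_CERT_MAC_PATH }}"
      - name: Install gon for code signing
        # NOTE(review): `deep_sign_support` is a branch of a third-party fork.
        # It is built and run while the signing key is unlocked in the keychain,
        # so pin `ref` to a reviewed commit SHA.
        uses: actions/checkout@v4
        with:
          repository: darkvertex/gon # this fork has support for --deep notarization
          path: ${{ env.GON_PATH }}
          ref: deep_sign_support
          # The fork's build does not need the job token
          persist-credentials: false
      - name: Build gon
        working-directory: ${{ env.GON_PATH }}/cmd/gon/
        run: |
          ls -lah
          go build
          mv gon /usr/local/bin
      - name: Write gon config to file
        # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
        run: |
          cat > "${{ env.GON_CONFIG_PATH }}" <<EOF
          # See: https://github.com/mitchellh/gon#configuration-file
          source = ["ArduinoCreateAgent.app"]
          bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
          sign {
            application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
            deep = true
          }
          EOF
      - name: Sign app bundle
        env:
          AC_USERNAME: ${{ secrets.AC_USERNAME }} # used by gon
          AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # used by gon
          AC_PROVIDER: ${{ secrets.AC_PROVIDER }} # used by gon
        run: gon -log-level=debug -log-json "${{ env.GON_CONFIG_PATH }}"
      - name: Zip output app bundle
        run: ditto -c -k ArduinoCreateAgent.app/ ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip
      - name: Remove gon used for code signing
        run: |
          rm /usr/local/bin/gon
          rm ${{ env.GON_CONFIG_PATH }}
      - name: Install gon for app notarization
        # NOTE(review): the release zip is installed without an integrity check
        # and then receives the notarization credentials; verify it against a
        # known SHA-256 before unpacking.
        run: |
          wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip
          unzip gon_macos.zip -d /usr/local/bin
      - name: Write gon config to file
        run: |
          cat > "${{ env.GON_CONFIG_PATH }}" <<EOF
          # See: https://github.com/Bearer/gon#configuration-file
          notarize {
            path = "ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip"
            bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
          }
          EOF
      - name: Notarize app bundle
        env:
          AC_USERNAME: ${{ secrets.AC_USERNAME }} # used by gon
          AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # used by gon
          AC_PROVIDER: ${{ secrets.AC_PROVIDER }} # used by gon
        run: |
          gon -log-level=debug -log-json "${{ env.GON_CONFIG_PATH }}"
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: "github_${{ env.PROJECT_NAME }}"
          aws-region: ${{ env.AWS_REGION }}
        if: ${{ needs.build.outputs.prerelease != 'true' }}
      - name: Upload autoupdate bundle to Arduino downloads servers
        run: aws s3 cp ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}${GITHUB_REF/refs\/tags\//}/ # the version should be created in the build job
        if: ${{ needs.build.outputs.prerelease != 'true' }}
      - name: Generate json file used for the new autoupdate
        run: |
          cat > darwin-${{ matrix.arch }}-bundle.json <<EOF
          {
            "Version": "${GITHUB_REF/refs\/tags\//}",
            "Sha256": "$(shasum -a 256 ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip | awk '{print $1}' | xxd -r -p | base64)"
          }
          EOF
        if: ${{ needs.build.outputs.prerelease != 'true' }}
      - name: Upload autoupdate files to Arduino downloads servers
        run: |
          aws s3 cp darwin-${{ matrix.arch }}-bundle.json s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}
        if: ${{ needs.build.outputs.prerelease != 'true' }}
      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: ArduinoCreateAgent.app_${{ matrix.arch }}_notarized
          path: ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip
          if-no-files-found: error

  # This job is responsible for generating the installers (using installbuilder)
  package:
    needs: build
    runs-on: ubuntu-20.04
    env:
      # vars used by installbuilder
      INSTALLBUILDER_PATH: "/opt/installbuilder-23.11.0/bin/builder"
      INSTALLER_VARS: "project.outputDirectory=$PWD project.version=${GITHUB_REF##*/} workspace=$PWD realname=Arduino_Create_Agent"
      # installbuilder will read this vars automatically (defined in installer.xml):
      INSTALLER_CERT_WINDOWS_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
      INSTALLER_CERT_WINDOWS_PFX: "/tmp/ArduinoCerts2020.pfx"
    strategy:
      fail-fast: false # if one os is failing continue nonetheless
      matrix: # used to generate installers for different OS and not for runs-on
        os: [ubuntu-20.04, windows-2019]
        arch: [amd64]
        include:
          - os: ubuntu-20.04
            platform-name: linux
            installbuilder-name: linux-x64
            installer-extension: .run
          - os: windows-2019
            arch: 386
            platform-name: windows
            installbuilder-name: windows
            extension: .exe
            installer-extension: .exe
          - os: windows-2019
            platform-name: windows
            installbuilder-name: windows
            extension: .exe
            installer-extension: .exe
    # NOTE(review): third-party image referenced by tag; the Windows signing
    # certificate and its password are used inside it. Pin it by digest.
    container:
      image: floydpink/ubuntu-install-builder:23.11.0
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          repository: "bcmi-labs/arduino-create-agent-installer" # the repo which contains install.xml
          token: ${{ secrets.ARDUINO_CREATE_AGENT_CI_PAT }}
          # No later step needs git access, so do not leave the PAT in .git/config
          persist-credentials: false
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}-${{ matrix.arch }}
          path: artifacts/${{ matrix.platform-name }}/ # path expected by installbuilder
      # zip artifacts do not maintain executable permission
      - name: Make executable
        run: chmod -v +x artifacts/${{ matrix.platform-name }}/${{ env.PROJECT_NAME }}*
        if: matrix.os == 'ubuntu-20.04'
      - name: Rename executable to Arduino_Create_Agent
        run: mv -v artifacts/${{ matrix.platform-name }}/${{ env.PROJECT_NAME }}${{ matrix.extension }} artifacts/${{ matrix.platform-name }}/Arduino_Create_Agent${{ matrix.extension }}
      - name: Save InstallBuilder license to file
        # NOTE(review): the secret is expanded into the script text here. Passing
        # it through `env:` would be safer, but it changes how quotes in the value
        # are treated, so check how the secret is stored before switching.
        run: echo "${{ secrets.INSTALLER_LICENSE }}" > /tmp/license.xml
      - name: Save Win signing certificate to file
        # Base64 payload handed over through the environment instead of the script text
        env:
          INSTALLER_CERT_WINDOWS_PFX_B64: ${{ secrets.INSTALLER_CERT_WINDOWS_PFX }}
        run: echo "$INSTALLER_CERT_WINDOWS_PFX_B64" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_PFX}}
        if: matrix.os == 'windows-2019'
      # installbuilder reads the env vars with certs paths and use it to sign the installer.
      - name: Launch Bitrock installbuilder
        run: ${{ env.INSTALLBUILDER_PATH }} build installer.xml ${{ matrix.installbuilder-name }} --verbose --license /tmp/license.xml --setvars ${{ env.INSTALLER_VARS }} architecture=${{ matrix.arch }}
      - name: Generate archive
        run: tar -czvf ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.platform-name }}-${{ matrix.arch }}-installer.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.platform-name }}-${{ matrix.arch }}-installer${{matrix.installer-extension}}
        if: matrix.os == 'ubuntu-20.04'
      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ArduinoCreateAgent-${{ matrix.platform-name }}-${{ matrix.arch }}
          path: ArduinoCreateAgent*
          if-no-files-found: error

  # This job will generate a dmg mac installer, sign/notarize it.
  generate-sign-dmg:
    needs: notarize-macos
    strategy:
      matrix:
        arch: [amd64]
    runs-on: macos-12
    steps:
      - name: Checkout repo with icons/background
        uses: actions/checkout@v4
        with:
          repository: "bcmi-labs/arduino-create-agent-installer" # the repo which contains the icons/background
          token: ${{ secrets.ARDUINO_CREATE_AGENT_CI_PAT }}
          # No later step needs git access, so do not leave the PAT in .git/config
          persist-credentials: false
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: ArduinoCreateAgent.app_${{ matrix.arch }}_notarized
          path: ArduinoCreateAgent.app
      - name: unzip artifact
        working-directory: ArduinoCreateAgent.app
        run: |
          unzip ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip
          rm ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip
      - name: Install create-dmg
        run: brew install create-dmg
      - name: Genarate DMG
        run: |
          create-dmg \
            --volname "ArduinoCreateAgent" \
            --background "installer_icons/background.tiff" \
            --window-pos 200 120 \
            --window-size 500 320 \
            --icon-size 80 \
            --icon "ArduinoCreateAgent.app" 125 150 \
            --app-drop-link 375 150 \
            "ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg" \
            "ArduinoCreateAgent.app"
      - name: Import Code-Signing Certificates
        # The secrets reach the script through the environment rather than being
        # expanded into the script text by the workflow template engine.
        # If the stored password was escaped for the shell to suit the previous
        # inline form, save it again unescaped.
        env:
          INSTALLER_CERT_MAC_P12: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
          INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
        run: |
          echo "$INSTALLER_CERT_MAC_P12" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
          security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
          security default-keychain -s "${{ env.KEYCHAIN }}"
          security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
          # NOTE(review): -A lets any application use the imported key without a
          # prompt; -T already grants codesign access. Confirm whether -A is needed.
          security import \
            "${{ env.INSTALLER_CERT_MAC_PATH }}" \
            -k "${{ env.KEYCHAIN }}" \
            -f pkcs12 \
            -A \
            -T "/usr/bin/codesign" \
            -P "$INSTALLER_CERT_MAC_PASSWORD"
          security set-key-partition-list \
            -S apple-tool:,apple: \
            -s \
            -k "${{ env.KEYCHAIN_PASSWORD }}" \
            "${{ env.KEYCHAIN }}"
          # The key now lives in the keychain; do not leave the .p12 on disk
          rm -f "${{ env.INSTALLER_CERT_MAC_PATH }}"
      - name: Install gon for code signing and app notarization
        # NOTE(review): the release zip is installed without an integrity check
        # and then runs with the signing key and the notarization credentials;
        # verify it against a known SHA-256 before unpacking.
        run: |
          wget -q https://github.com/Bearer/gon/releases/download/v0.0.36/gon_macos.zip
          unzip gon_macos.zip -d /usr/local/bin
      - name: Write gon config to file
        # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
        run: |
          cat > gon.config_installer.hcl <<EOF
          source = ["ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg"]
          bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}-installer"
          sign {
            application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
          }
          # Ask Gon for zip output to force notarization process to take place.
          zip {
            output_path = "ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip"
          }
          EOF
      - name: Code sign and notarize app
        env:
          AC_USERNAME: ${{ secrets.AC_USERNAME }} # used by gon
          AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # used by gon
          AC_PROVIDER: ${{ secrets.AC_PROVIDER }} # used by gon
        run: gon -log-level=debug -log-json gon.config_installer.hcl
      # tar dmg file to keep executable permission
      - name: Tar files to keep permissions
        run: tar -cvf ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.tar ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg
      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ArduinoCreateAgent-osx-${{ matrix.arch }}
          path: ArduinoCreateAgent*.tar
          if-no-files-found: error

  create-release:
    runs-on: ubuntu-20.04
    environment: production
    permissions:
      contents: write # needed to create the GitHub release
      id-token: write # This is required for requesting the JWT
    needs: [build, package, generate-sign-dmg]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # fetch all history for the create changelog step to work properly
      - name: Download artifact
        uses: actions/download-artifact@v3 # download all the artifacts
      # mandatory step because upload-release-action does not support multiple folders
      - name: prepare artifacts for the release
        run: |
          mkdir release
          chmod -v +x ArduinoCreateAgent-linux-amd64/*.run
          mv -v ArduinoCreateAgent-linux-amd64/* release/
          cat ArduinoCreateAgent-osx-amd64/*.tar | tar -xvf - -i -C release/
          rm -v release/._ArduinoCreateAgent*.dmg
          mv -v ArduinoCreateAgent-windows*/* release/
      - name: VirusTotal Scan
        id: virustotal_step
        uses: crazy-max/ghaction-virustotal@v4
        with:
          vt_api_key: ${{ secrets.VIRUSTOTAL_API_KEY }}
          update_release_body: false # `true` won't work because trigger type is not release
          files: |
            release/*.exe
            ${{ env.PROJECT_NAME }}-windows-2019-386/${{ env.PROJECT_NAME }}.exe
            ${{ env.PROJECT_NAME }}-windows-2019-amd64/${{ env.PROJECT_NAME }}.exe
      - name: Create changelog
        uses: arduino/create-changelog@v1
        with:
          tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+.*$'
          filter-regex: '^\[(skip|changelog)[ ,-](skip|changelog)\].*'
          case-insensitive-regex: true
          changelog-file-path: "CHANGELOG.md"
      - name: Organize release body message # use sed to clean and format the output markdown style
        id: release_body
        # The action output is read from the environment so that its content is
        # never parsed as shell code.
        env:
          VT_ANALYSIS: ${{ steps.virustotal_step.outputs.analysis }}
        run: |
          # Random delimiter: a changelog line equal to a fixed delimiter would
          # otherwise end the multi-line value early and let the following lines
          # be read as additional step outputs.
          delimiter="RBODY_$(openssl rand -hex 16)"
          echo "RBODY<<${delimiter}" >> $GITHUB_OUTPUT
          echo "$(cat CHANGELOG.md)" >> $GITHUB_OUTPUT
          echo "<details close>" >> $GITHUB_OUTPUT
          echo "<summary>VirusTotal analysis 🛡</summary>" >> $GITHUB_OUTPUT
          echo "" >> $GITHUB_OUTPUT
          echo "$(echo "$VT_ANALYSIS" | sed 's/release\///g' | sed 's/,/\n/g' | sed 's/^/- [/' | sed 's/=/](/' | sed 's/$/)/')" >> $GITHUB_OUTPUT
          echo "</details>" >> $GITHUB_OUTPUT
          echo "${delimiter}" >> $GITHUB_OUTPUT
      - name: Create Github Release and upload artifacts
        uses: ncipollo/release-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          body: ${{ steps.release_body.outputs.RBODY}}
          draft: false
          prerelease: ${{ needs.build.outputs.prerelease }}
          # NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem
          # (all the files we need are in the DIST_DIR root)
          artifacts: release/*
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: "github_${{ env.PROJECT_NAME }}"
          aws-region: ${{ env.AWS_REGION }}
        if: ${{ needs.build.outputs.prerelease != 'true' }}
      - name: Upload release files on Arduino downloads servers
        run: aws s3 sync release/ s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}
        if: ${{ needs.build.outputs.prerelease != 'true' }}
      - name: Update version file (used by frontend to trigger autoupdate and create filename)
        run: |
          echo {\"Version\": \"${GITHUB_REF##*/}\"} > /tmp/agent-version.json
          # TODO remove this when we will have a new frontend
          aws s3 cp /tmp/agent-version.json s3://${{ env.VERSION_TARGET }}
          aws s3 cp /tmp/agent-version.json s3://${{ secrets.DOWNLOADS_BUCKET }}/agent-metadata/
        if: ${{ needs.build.outputs.prerelease != 'true' }}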